On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.

Superbox media streaming boxes for sale on Walmart.com.
Superbox bills itself as an affordable way for households to stream all of the television and movie content they could possibly want, without the hassle of monthly subscription fees — for a one-time payment of nearly $400.
“Tired of confusing cable bills and hidden fees?” Superbox’s website asks in a recent blog post titled “Cheap Cable TV for Low Income: Watch TV, No Monthly Bills.”
“Real cheap cable TV for low income solutions does exist,” the blog continues. “This guide breaks down the best alternatives to stop overpaying, from free over-the-air options to one-time purchase devices that eliminate monthly bills.”
Superbox claims that watching a stream of movies, TV shows, and sporting events won’t violate U.S. copyright law.
“SuperBox is just like any other Android TV box on the market, we can not control what software customers will use,” the company’s website maintains. “And you won’t encounter a law issue unless uploading, downloading, or broadcasting content to a large group.”

A blog post from the Superbox website.
There is nothing illegal about the sale or use of the Superbox itself, which can be used strictly as a way to stream content at providers where users already have a paid subscription. But that is not why people are shelling out $400 for these machines. The only way to watch those 2,200+ channels for free with a Superbox is to install several apps made for the device that enable them to stream this content.
Superbox’s homepage includes a prominent message stating the company does “not sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content.” The company explains that they merely provide the hardware, while customers choose which apps to install.
“We only sell the hardware device,” the notice states. “Customers must use official apps and licensed services; unauthorized use may violate copyright law.”
Superbox is technically correct here, except for maybe the part about how customers must use official apps and licensed services: Before the Superbox can stream those thousands of channels, users must configure the device to update itself, and the first step involves ripping out Google’s official Play store and replacing it with something called the “App Store” or “Blue TV Store.”
Superbox does this because the device does not use the official Google-certified Android TV system, and its apps will not load otherwise. Only after the Google Play store has been supplanted by this unofficial App Store do the various movie and video streaming apps that are built specifically for the Superbox appear available for download (again, outside of Google’s app ecosystem).
Experts say while these Android streaming boxes generally do what they advertise — enabling buyers to stream video content that would normally require a paid subscription — the apps that enable the streaming also ensnare the user’s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.
Ashley is a senior solutions engineer at Censys, a cyber intelligence company that indexes Internet-connected devices, services and hosts. Ashley requested that only her first name be used in this story.
In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab — including one purchased off the shelf at BestBuy.
“I’m sure a lot of people are thinking, ‘Hey, how bad could it be if it’s for sale at the big box stores?'” she said. “But the more I looked, things got weirder and weirder.”
Ashley said she found the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent QQ, as well as a residential proxy service called Grass IO.
GET GRASSED
Also known as getgrass[.]io, Grass says it is “a decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies.”
“Buyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective,” the Grass website explains. “By utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI.” 
Reached via Twitter/X, Grass founder Andrej Radonjic told KrebsOnSecurity he’d never heard of a Superbox, and that Grass has no affiliation with the device maker.
“It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,” Radonjic said. “The point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack people’s bandwidth to help webscraping companies.”
Radonjic said Grass has implemented “a robust system to identify network abusers,” and that if it discovers anyone trying to misuse or circumvent its terms of service, the company takes steps to stop it and prevent those users from earning points or rewards.
Superbox’s parent company, Super Media Technology Company Ltd., lists its street address as a UPS store in Fountain Valley, Calif. The company did not respond to multiple inquiries.
According to this teardown by behindmlm.com, a blog that covers multi-level marketing (MLM) schemes, Grass’s compensation plan is built around “grass points,” which are earned through the use of the Grass app and through app usage by recruited affiliates. Affiliates can earn 5,000 grass points for clocking 100 hours of usage of Grass’s app, but they must progress through ten affiliate tiers or ranks before they can redeem their grass points (presumably for some type of cryptocurrency). The 10th or “Titan” tier requires affiliates to accumulate a whopping 50 million grass points, or recruit at least 221 more affiliates.
Radonjic said Grass’s system has changed in recent months, and confirmed the company has a referral program where users can earn Grass Uptime Points by contributing their own bandwidth and/or by inviting other users to participate.
“Users are not required to participate in the referral program to earn Grass Uptime Points or to receive Grass Tokens,” Radonjic said. “Grass is in the process of phasing out the referral program and has introduced an updated Grass Points model.”
A review of the Terms and Conditions page for getgrass[.]io at the Wayback Machine shows Grass’s parent company has changed names at least five times in the course of its two-year existence. Searching the Wayback Machine on getgrass[.]io shows that in June 2023 Grass was owned by a company called Wynd Network. By March 2024, the owner was listed as Lower Tribeca Corp. in the Bahamas. By August 2024, Grass was controlled by Half Space Labs Limited, and in November 2024 the company was owned by Grass OpCo (BVI) Ltd. Currently, the Grass website says its parent is just Grass OpCo Ltd (no BVI in the name).
Radonjic acknowledged that Grass has undergone “a handful of corporate clean-ups over the last couple of years,” but described them as administrative changes that had no operational impact. “These reflect normal early-stage restructuring as the project moved from initial development…into the current structure under the Grass Foundation,” he said.
UNBOXING
Censys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined. She also discovered the streaming boxes included powerful network analysis and remote-connection tools that have no obvious purpose on a video player, such as the packet capture utility tcpdump and the network utility netcat.
“This thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls,” she said. “I have root on all of them now, and they actually have a folder called ‘secondstage.’ These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices.”
A quick online search shows various Superbox models and many similar Android streaming devices for sale at a wide range of top retail destinations, including Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for example, currently lists more than three dozen Superbox models. In all cases, the products are sold by third-party merchants on these platforms, but in many instances the fulfillment comes from the e-commerce platform itself.
“Newegg is pretty bad now with these devices,” Ashley said. “eBay is the funniest, because they have Superbox in Spanish — the SuperCaja — which is very popular.”
Ashley said Amazon recently cracked down on Android streaming devices branded as Superbox, but that those listings can still be found under the more generic title “modem and router combo” (which may be slightly closer to the truth about the device’s behavior).
Superbox doesn’t advertise its products in the conventional sense. Rather, it seems to rely on lesser-known influencers on platforms like YouTube and TikTok to promote the devices. Meanwhile, Ashley said, Superbox pays those influencers 50 percent of the value of each device they sell.
“It’s weird to me because influencer marketing usually caps compensation at 15 percent, and it means they don’t care about the money,” she said. “This is about building their network.”

A TikTok influencer casually mentions and promotes Superbox while chatting with her followers over a glass of wine.
BADBOX
As plentiful as the Superbox is on e-commerce sites, it is just one brand in an ocean of no-name Android-based TV boxes available to consumers. While these devices generally do provide buyers with “free” streaming content, they also tend to include factory-installed malware or require the installation of third-party apps that engage the user’s Internet address in advertising fraud.
In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces.

Some of the unofficial Android devices flagged by Google as part of the Badbox 2.0 botnet are still widely for sale at major e-commerce vendors. Image: Google.
Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites. For example, searching for the “X88Pro 10” and the “T95” Android streaming boxes finds both continue to be peddled by Amazon sellers.
Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malicious software prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.
“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,” the FBI said.
The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.
Riley Kilmer is founder of Spur, a company that tracks residential proxy networks. Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.
Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy provider sanctioned last year by the U.S. Department of the Treasury for operating a botnet that helped criminals steal billions of dollars from financial institutions, credit card issuers, and federal lending programs (the U.S. Department of Justice also arrested the alleged owner of 911S5).
How are most IPidea customers using the proxy service? According to the proxy detection service Synthient, six of the top ten destinations for IPidea proxies involved traffic that has been linked to either ad fraud or credential stuffing (account takeover attempts).
Kilmer said companies like Grass are probably being truthful when they say some of their customers are firms scraping the web to train artificial intelligence models, because a great deal of the content scraping that ultimately benefits AI companies now runs through these proxy networks to obscure its aggressive data collection. By routing this unwelcome traffic through residential IP addresses, Kilmer said, scraping firms make it far harder for website operators to filter out.
“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer told KrebsOnSecurity. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”
SOME FRIENDLY ADVICE
Products like Superbox are drawing increased interest from consumers as more popular network television shows and sportscasts migrate to subscription streaming services, and as people begin to realize they’re spending as much or more on streaming services than they previously paid for cable or satellite TV.
These streaming devices from no-name technology vendors are another example of the maxim, “If something is free, you are the product,” meaning the company is making money by selling access to and/or information about its users and their data.
Superbox owners might counter, “Free? I paid $400 for that device!” But remember: Just because you paid a lot for something doesn’t mean you are done paying for it, or that somehow you are the only one who might be worse off from the transaction.
It may be that many Superbox customers don’t care if someone uses their Internet connection to tunnel traffic for ad fraud and account takeovers; for them, it beats paying for multiple streaming services each month. My guess, however, is that quite a few people who buy (or are gifted) these products have little understanding of the bargain they’re making when they plug them into an Internet router.
Superbox performs some serious linguistic gymnastics to claim its products don’t violate copyright laws, and that its customers alone are responsible for understanding and observing any local laws on the matter. However, buyer beware: If you’re a resident of the United States, you should know that using these devices for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and can incur legal action, fines, and potential warnings and/or suspension of service by your Internet service provider.
According to the FBI, there are several signs to look for that may indicate a streaming device you own is malicious, including:
-The presence of suspicious marketplaces where apps are downloaded.
-Requiring Google Play Protect settings to be disabled.
-Generic TV streaming devices advertised as unlocked or capable of accessing free content.
-IoT devices advertised from unrecognizable brands.
-Android devices that are not Play Protect certified.
-Unexplained or suspicious Internet traffic.
This explainer from the Electronic Frontier Foundation delves a bit deeper into each of the potential symptoms listed above.
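Two of the symptoms above, unexplained Internet traffic and the ARP-poisoning behaviour Censys described, can be checked from the router side. The following Python script is an added example, not code from the article, Censys or the FBI; it assumes dnsmasq-style DNS query logging on the home router and periodic snapshots of the router’s ARP table, and qq.com is an assumed stand-in domain for the Tencent QQ contact the article mentions.

```python
import re
from collections import defaultdict

# getgrass.io comes from the article; qq.com is an assumed domain standing in
# for the Tencent QQ contact it describes. Extend with your own watch-list.
PROXY_WATCHLIST = {"getgrass.io", "qq.com"}

# dnsmasq-style "query[TYPE] name from client" line (assumed router format).
DNS_QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\d+\.\d+\.\d+\.\d+)"
)


def matches_watchlist(name):
    """Return the watch-list domain that `name` equals or is a subdomain of.

    Suffix matching on whole labels, so a look-alike such as
    getgrass.io.example.net is not reported.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in PROXY_WATCHLIST:
            return candidate
    return None


def flag_proxy_clients(log_lines):
    """Map each LAN client IP to the sorted watch-listed domains it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        m = DNS_QUERY_RE.search(line)
        if m is None:
            continue
        matched = matches_watchlist(m.group("name"))
        if matched:
            hits[m.group("client")].add(matched)
    return {client: sorted(domains) for client, domains in hits.items()}


def detect_arp_flaps(arp_snapshots):
    """Return (snapshot_index, ip, old_mac, new_mac) for every IP whose MAC
    changed between successive ARP-table snapshots (oldest first). A LAN
    address that suddenly answers from another MAC is the symptom to watch."""
    last_seen, flaps = {}, []
    for idx, table in enumerate(arp_snapshots):
        for ip, mac in table.items():
            mac = mac.lower()
            if ip in last_seen and last_seen[ip] != mac:
                flaps.append((idx, ip, last_seen[ip], mac))
            last_seen[ip] = mac
    return flaps


def suspect_devices(log_lines, arp_snapshots):
    """Cross-reference both checks: for each client that resolved watch-listed
    domains, list the IPs that were taken over by that client's MAC."""
    mac_of = {ip: mac.lower() for t in arp_snapshots for ip, mac in t.items()}
    flaps = detect_arp_flaps(arp_snapshots)
    report = {}
    for client, domains in flag_proxy_clients(log_lines).items():
        claimed = [ip for _, ip, _, new in flaps if new == mac_of.get(client)]
        report[client] = {"domains": domains, "claimed_ips": claimed}
    return report


# Constructed sample data: 192.168.1.57 plays the streaming box.
SAMPLE_DNS_LOG = [
    "Nov 25 20:01:02 gw dnsmasq[812]: query[A] api.getgrass.io from 192.168.1.57",
    "Nov 25 20:01:03 gw dnsmasq[812]: query[A] www.netflix.com from 192.168.1.57",
    "Nov 25 20:01:05 gw dnsmasq[812]: query[A] minigame.qq.com from 192.168.1.57",
    "Nov 25 20:01:09 gw dnsmasq[812]: query[A] www.espn.com from 192.168.1.20",
    "Nov 25 20:01:11 gw dnsmasq[812]: query[AAAA] getgrass.io.example.net from 192.168.1.20",
]
SAMPLE_ARP_SNAPSHOTS = [
    {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.20": "aa:bb:cc:00:00:20"},
    {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.20": "aa:bb:cc:00:00:20",
     "192.168.1.57": "de:ad:be:ef:00:57"},
    # Gateway IP now answers from the box's MAC: the box has claimed it.
    {"192.168.1.1": "DE:AD:BE:EF:00:57", "192.168.1.20": "aa:bb:cc:00:00:20",
     "192.168.1.57": "de:ad:be:ef:00:57"},
]

if __name__ == "__main__":
    for client, info in suspect_devices(SAMPLE_DNS_LOG, SAMPLE_ARP_SNAPSHOTS).items():
        print(client, info)
```

On the sample data the box is the only client reported, with both watch-listed domains and the gateway address it took over.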


Wait, I’m confused… These are available, not through third parties on Walmart, but actually through Walmart and BestBuy themselves? How weird.
Pretty sure the grammar was a clue this was sketch, even without reading the article. But surprised they’re allowing those on major big box retailers.
Yes you’re confused. They aren’t sold by Walmart and BestBuy. They are sold through the marketplaces where anyone can post goods.
Still shipped through the retailers, not the third party. I’ve seen things like this on eBay. Not sure why big box retailers would act as a shipping service though.
$. To compete with Amazon doing exactly that. Which means, like Amazon, lowering standards to the absolute minimum expenditure.
I saw Superbox on sale and said ‘hmm’ when I saw they allow thru-paywall access to premium services like Netflix.
Then I saw it ran Android. Then I read the reviews. Then I tried searching for actual specs. All of it screams no-go.
Major retailers had better get serious about in-house or at least 3rd party vetting of things ‘they’ put up for sale.
Just the advertised claims alone should be enough for retailers to realize, this is not a legal above-board product.
So just how the hell is it still up for sale months later without anyone making a stink? You would think any one of the
premium services it’s backdoor-proxying into would get wise to what obviously is violating their EULAs 100%, no?
Because big box retailers are history and they now need to offer the only thing customers could possibly come in for: content (and for low income mind you).
Just as much or more of a nightmare on Amazon — too difficult to sort brands, aside from just looking at higher price points. It sucks.
Are you really knocking purchasing content in-person, though? While I get the usefulness of online shopping, how many memories and associations in peoples’ lives now are almost solely online, versus stuff people used to do in person (browsing bookstores or music stores for an hour)?
Are we gonna be just sitting around online in ten years going, yo, dude, remember that time people all sat around online talking about router insecurities? Gonna guess that won’t be too memorable. Nebulous memories, man.
“We only sell the hardware device,” But the CLAIMS made in advertising the device aren’t enough to trip something?
Either it’s fraud or it’s false advertising or both.
Both. And to make matters worse, it probably shreds any security and controls so that you can’t stop it.
On the Newsbreak App, I just saw a Chinese device they’re selling as a Hotspot internet device. It’s about as big as a pager and gives access to unlimited internet for $13 a month after you buy the device. The device must use the 3rd party software as described in this article. China is being very sneaky here and these should be banned. I bet they’re used for spying and geofencing in America once enough people use them. Much like how Musk spies with his satellites.
Or his cars?
Ideally nobody would be buying a damn thing from China ever again. Ideally.
Matt Brown has just proved your point here -> youtu.be/R82pt4rLhBQ – His next vid will analyse the firmware and the matching apk.
I was just about to post this. Interesting video.
Second ones up with another to come. All roads lead to China.
I have a very old Android “Smart” TV – Sony I believe. I have a Ubiquiti firewall. I didn’t know it until I installed the Ubiquiti firewall, but this TV “pings” and downloads ads from the internet about every 15 minutes, even when the TV is turned off. I now unplug it except when watching TV, which we rarely do anymore. Always thought it was strange that the mouse light would light up randomly, now I know why. It doesn’t have a camera, thank goodness.
Michael St. Peters, MO
why would anyone buy an off brand anything from anywhere?
“Gullibility is the art of refusing to exercise the muscle of your mind.”
― Craig D. Lounsbrough
Other than that, who can tell?
‘Free’ Netflix / Peacock / sports / etc sounds pretty (too) good to be true?
I know for sure, a fading sports bar in a forgotten strip mall backwoods Oregon is going to take a real serious look at this – it might help out making payroll next month.
Surely. A lot of people don’t think before they buy. They see “free netflix” or whatever catches the eyes and the rest is rationalizing a mistake in realtime. But then, IS it a mistake, from their vantage? If they don’t understand internet security or hidden proxy networks or malware campaigns, and they’re just trying to get ‘free netflix’ for their xyz small business or brother’s family or whathaveyou, by that math it’s not a bad deal at all up front. “Pays for itself in a year” would be the mantra.
Clearly you’ve never lived in, or known many people outside of, relatively well-off parts of the world. In most countries where a relatively high wage is considered approximately minimum wage in the United States (for example), “off brands” are the norm. I have to say, however, that many of the products outside of the US that are “off brand” tend to be of somewhat higher quality.
I’d imagine most people in a lower income bracket in the United States, if given a choice between not having something and having a crappy version of something (or a whole lot of crappier somethings), would probably choose the crappy version(s) over nothing. Sometimes it makes sense. Other times, not.
I still remember getting a few brand name things for Christmas, growing up, and then a bunch of “not brand name” things. Pretty sure that’s how a lot of people shop.
Of course, some people just buy stuff like this article mentions because they enjoy the frisson of ‘naughtiness’, even when they can afford the ‘real thing’ (probably more people than care to admit it)… sort of like people who buy knock-offs of brand names for the psychological payoff.
Anyway, this product reminds me of people pirating cable tv two or three decades ago… though I imagine Mr. Krebs’ article probably did more to ‘further’ people considering buying this product than to dissuade people from it.
TFA is about walmart, not a third world buying emporium like temu
“Santa Claus
November 25, 2025
why would anyone buy an off brand anything from anywhere?”
Walmart’s marketplace is a lot like eBay or Amazon sellers. Not sure what you’re getting at here.
that 3rd world users don’t buy from walmart, bestegg, bestbuy, etc.
They buy from ali baba, and a ton of other sites like it. Most countries have an equivalent. What’s your point? Santa (or the genie in Aladdin) is equally unlikely to bring free things from any of those places. Ya might get a decent deal but it won’t be free.
TFA is about walmart, bestbuy, newegg, not ali baba, temu, etc., again 3rd world buyers don’t shop those sites
you’re taking fum very well, again, today, as always, snoopy.
TFA is about Newegg and Bestbuy as well for sure.
make sure to run and snatch the longbow this time, mealy.
Best Buy does not sell these “off the shelf”, although they are available from 3rd-party sellers on Best Buy’s Marketplace.
Thanks for the article, Brian, and calling attention to the sketchy app store practices.
It will be interesting to see what happens if these boxes become a blip on Disney and others’ balance sheets.
To be fair, probably not that large of one. Just like sales of, I dunno, sales of VHS cassettes or video games (which were, like, $60-100) probably didn’t change all THAT much when VHS and game rentals became a thing. People tend to either be willing to pay money for recurring things, or not… often they aren’t the same people willing (or not) to lay out some cash on something once or twice. The business model isn’t really the same. Probably something media companies need to think more about, now that everyone’s gone to streaming and asynchronous programming.
Sounds like a Kodi box (“Kodi” on a Raspberry Pi) with added malware. For Kodi (previously Xbox Media Center… open source media player for hacked Xboxes) I’m pretty sure you’re required to use a VPN to get any pirated streams. So for anyone interested, you can do this yourself… without this added badness. (though it’s all community software and can’t be guaranteed to be malware-free… but at least it’s not pre-configured to turn your network into a bot) You will certainly be doing something illegal when streaming non-free content. (your VPN should protect you, but your results may vary…)
The live TV is what the SuperBox is great for. All the major sporting events live with decent quality. Kodi has become hot garbage with the awful skins that look like some twelve year old put them together. Everyone I know has gone to Stremio with a debrid server over Kodi.
Even with the Debrid service one needs to get an app that blocks the droves of pop up ads. Stremio is ok but its UI is horrid. A better one is BeeTV or CinemaHD along with a VPN or DNS Blocking app, IP Vanish etc…
“Everyone I know…” HAH!
Better make sure you’re using a deadman switch on that VPN in case you get DC’ed…
github.com/geekau/mediastack
Interesting.
Architect is CISSP.
Ad fraud on Google and other Ammurrican scum is incredibly cool and I 100% support it. If you aren’t using AdNauseum you’re making the world worse. I would happily run a server just for this purpose. The only real problem is that this sort of thing may be used for some actually morally bad purpose, like spreading American-loving propaganda or CSAM, and there doesn’t seem to be a way to exclude this.
ahh, my friend, spreading love is never morally bad.
One does not need to spend more than $100 dollars for one of these devices. The $300 plus dollar one is no better hardware wise than the $40-$60 dollar one.
But you’re skipping the big question, do you want this on your network. Not the cost.
might be fun to buy one and audit it to see how vulnerable it’d be and how hard for third parties to make use of (as opposed to just the manufacturer(s)/insiders). I suppose it’d be useful for rerouting traffic; for anyone if it were exploitable (nothing new though, clearly)… only sometimes for doing much more in a (theoretical) home/small office network.
In other words, nothing novel. Just more tempting for people in places that feds might not believe or people would not notice.
If the manuf/insiders are selling/enabling access to mal-campaigners, the result is about the same. You put it on a network and you are opening ports to *.*anybody, and it doesn’t have all those lateral netscan/etc tools for ‘no reason at all’… it’s renting out cargo space to the Greek army once you let it inside the wall.
The bit about it using poison ARPs to kick IPs and take authorized ports over… that’s scary if you’re not completely locked down redundantly. I can only imagine trying to deal with that on an IT level, someone in sales popping this thing into the LAN so he can watch soccer or something…
Why would I care? Amazon decides they still own my firestick and can dictate what I can use it for so if the web is full of bots you know who to blame.
OK but has Amazon turned you into their ransomware endpoint, or are you just misjudging this?
They decide what you can use it for, EULA, vs using it for things you have no idea about plus illegally.
Even you can see the difference.
The bigger question: Is your Android/Linux based TV that hasn’t been updated for YEARS maybe part of an even larger botnet?
Or the same botnet. But there’s a difference there, those are vulns in EOL abandonware, vs deliberately packing this (up to date) Superbox with tools for ops to move around in your network intentionally as a blind proxy. Out of date Android IoT devices are a huge problem, but this is a deliberate and current vector being sold in stores TODAY.
Kinda right.